[DNFSB LETTERHEAD]
November 4, 2002
The Honorable Jessie Hill Roberson
Assistant Secretary for Environmental
Management
Department of Energy
1000 Independence Avenue, SW
Washington, DC 20585-0113
Dear Ms. Roberson:
The staff of the Defense Nuclear Facilities
Safety Board (Board) conducted two reviews of the process used for safety basis
development to support the design and construction of the Waste Treatment Plant
(WTP) at the Hanford Site. The staff
focused on the Preliminary Safety Analysis Reports (PSARs) and design basis
events (DBEs) for the pretreatment and high-level waste (HLW) facilities.
The WTP project has implemented a unique
Integrated Safety Management (ISM) review process intended to evaluate the design’s
adequacy, and to ensure that all safety issues have been addressed and that
safety functions have been captured and incorporated into the design. The staff’s reviews revealed that there may
be systemic weaknesses in this ISM review process. It appears that some of these ISM reviews are not sufficiently
rigorous. The staff identified a number
of conditions that were not adequately addressed in the PSARs and were not
captured during the ISM reviews. These
conditions may require additional controls or design modifications before sufficient
levels of safety are achieved.
Furthermore, the staff found that the design
calculations contain numerous unverified assumptions and incomplete design inputs
that were not being properly tracked.
It is critical that all assumptions be verified and all required design
inputs be available to support the aggressive construction schedule and to
ensure adequate time for a comprehensive design review.
The staffs review also revealed the safety
requirements delineated in Department of Energy (DOE) Order 420.1, Facility Safety,
and DOE standard DOE-STD-3009-94, Change Notice 2, Preparation Guide for
U.S. Department of Energy Nonreactor Nuclear Facility Safety Analysis Reports,
are not being fully met. Specifically,
DOE’s design contractor appears to have implemented a process that treats DOE’s
evaluation guidelines as fixed criteria for determining the acceptability of
the design. Appendix A to
DOE-STD-3009-94 clearly specifies that the evaluation guideline is to be used
for the classification of controls and identification of safety-class systems,
not as a firm acceptance criterion.
This misapplication of the DOE evaluation guideline could lead to the
development of a less-than-adequate design.
Pursuant to 42 U.S.C. § 2286b(d), the Board
requests a report within 60 days of receipt of this letter that documents how DOE will
resolve the deficiencies identified in the enclosed staff reports.
Sincerely,
John T. Conway
Chairman
c:
Mr. Roy J. Schepens
Mr. Mark B. Whitaker, Jr.
Enclosures
DEFENSE
NUCLEAR FACILITIES SAFETY BOARD
Staff Issue Report
October 3,
2002
MEMORANDUM FOR: J.
K. Fortenberry, Technical Director
COPIES: Board
Members
FROM: F.
Bamdad
S. Stokes
SUBJECT: Safety
and Design Basis Activities, Hanford Waste Treatment Plant
This report documents the results of a
review performed by the staff of the Defense Nuclear Facilities Safety Board (Board) of
safety and design bases for the Hanford Waste Treatment Plant (WTP). Staff members F. Bamdad, J. Contardi, M.
Feldman, J. Plaue, R. Quirk, S. Stokes, and A. Wong, together with the Board’s
site representative, M. Sautman, participated in this review. To perform this review, the staff examined
relevant documents; toured the construction site; and held on-site discussions
April 30–May 2, 2002, and follow-up discussions July 29–August 2, 2002.
Background. The
Department of Energy (DOE) has contracted with Bechtel National, Inc. (BNI) to design, construct, and
commission the WTP at Hanford. This
facility will treat and vitrify waste from the Hanford high-level waste tank
farms. The construction of this
facility has begun, and design calculations are being performed to support the
construction schedule.
Discussion. The
staffs review addressed two aspects of safety basis development for the WTP:
(1) the safety standards and processes generated by the contractor to
meet the requirements of DOE’s Office of River
Protection (ORP), and their application to design and construction activities
for the WTP; and (2) the design basis event (DBE) analyses supporting the
Preliminary Safety Analysis Reports (PSARs) for the high-level waste and
pretreatment facilities, a representative set of which was reviewed in
detail. The following discussion
summarizes issues identified by the Board’s staff related to safety standards
and processes that could have an adverse impact on the safety of the WTP
facility; the technical issues related to the DBE analyses are addressed in a
companion report.
Safety Requirements—BNI developed a Safety Requirements
Document (SRD) establishing a set of radiological and
chemical safety standards to meet the expectations of DOE-ORP. These safety standards are to be used in the
design, construction, and operation of the WTP facility.
The structures, systems, and components (SSCs)
that serve to provide reasonable assurance that the facility can be operated
without undue risk to the health and safety of the public and workers are
classified as important to safety. This
classification includes SSCs designated as safety design class (SDC) and safety
design significant (SDS), as well as some SSCs that provide defense-in-depth
called risk reduction components. The
SDCs are those SSCs identified to protect the public and workers from receiving
radiological or chemical exposures that exceed standards defined in the
SRD. Table 2-l of the SRD establishes
radiological dose standards that must be met to ensure adequate protection of
the public and workers. For example,
the criteria for protection of the public and workers from unlikely events
(probability of 1.0E-2 to 1.0E-4 per year) are 5 and 25 rem committed effective
dose equivalent (CEDE), respectively, and the criterion for extremely unlikely
events (probability of 1.0E-4 to 1.0E-6 per year) is 25 rem CEDE for both
populations.
Appendix B to the SRD establishes a
defense-in-depth approach by defining the minimum number of SSCs and associated
engineering requirements for the control of hazards of a particular
severity. This approach is intended to
be used in conjunction with the safety requirements discussed above. Table 1 of Appendix B lists the number and
attributes of the physical barriers, as well as the application of the
single-failure criterion to SSCs as required to implement defense in depth
adequately. The adequacy of defense in
depth for a given event is evaluated using numerical values given as target
frequencies. For example, for the
hazards of the highest severity level (SL-l), two independent physical barriers
are required, the single-failure criterion shall be applied, and the
probability of the event shall be less than 1.0E-6 per year after taking credit
for the controls.
The safety criteria and methodology
presented in the SRD, as applied by BNI, do not reflect several key
requirements for preparation of a PSAR as set forth in DOE Order 420.1, Facility
Safety, and DOE standard DOE-STD-3009-94, Change Notice 2, Preparation
Guide for U.S. Department of Energy Nonreactor Nuclear Facility Safety Analysis
Reports. The following examples
illustrate the issues identified by the staff:
·
The numerical
value of 25 rem given as the radiological exposure standard in Table 2-l of the
SRD for protection of the public is consistent with the evaluation guideline
established in DOE-STD-3009-94 for identification of safety-class SSCs. The DOE evaluation guideline was intended to
be used in conjunction with the unmitigated accident consequences for
identification of safety-class SSCs.
However, the staffs review identified several instances in which SSCs
were credited in comparing the consequences with the criteria given in Table
2-l of the SRD. For example, Section
3.4.1.1.5 of the PSAR for the HLW facility credits the high-efficiency
particulate air (HEPA) filters in calculating the consequences for comparison
with the SRD. This is in contrast to
the recommended approach in DOE-STD-3009-94—that the unmitigated consequences
should be compared with the evaluation guidelines for classification of the
SSCs. As a result, the safety
significance of the HEPA filters may have been masked due to the lack of
knowledge of the unmitigated consequences.
Follow-up discussions with the contractor revealed that the guidance on using the mitigated accident consequences as the basis for comparison with the radiological exposure standards in Table 2-1 of the SRD was provided by DOE-ORP. Any changes to this approach would require negotiations between the contractor and DOE, which are pending at this time.
·
Appendix A to
DOE-STD-3009-94 states that the evaluation guidelines are not to be used as
firm criteria when determining the acceptability of control
strategies/systems. Discussions with
contractor representatives revealed that these radiological exposure standards
are generally regarded as cut-offs for determining the effectiveness of a
control system.
·
BNI is using
target probabilities given in Appendix B of the SRD as acceptance criteria
without considering the uncertainties involved in the analysis. For example, an SL-1 event with a calculated
frequency of 0.65E-6 per year was given no further consideration because the
target frequency of 1.0E-6 per year was not exceeded. This approach does not reflect the substantial uncertainties in
this frequency estimate and could yield a design that does not fully develop
the defense-in-depth concept articulated in the SRD. Specific examples of the uncertainties discovered in several of
BNI’s frequency estimates are cited below:
- The probabilities used in frequency estimates were sometimes inappropriately based on a best estimate rather than a conservative estimate.
- When data on the failure probability of some systems were unavailable, assumptions used by BNI regarding the applicability of similar data did not appear to be technically justified. Moreover, the extrapolation of these data for use within the DBE analysis did not appear to have been done in a conservative fashion.
Follow-up discussions with DOE and its contractor confirmed the staff’s findings and resulted in a potential change to the defense-in-depth methodology applied to the WTP design. While the contractor has proposed replacing the quantitative frequency requirements with qualitative determination of the adequacy of the control set, there does not appear to be a clear methodology for identifying the required SSCs, their classification, and a concise definition of their boundaries. This activity appears to be work in progress and may impact the design of the SSCs important to safety if not completed in a timely manner.
Beyond Design Basis Accidents—The safe harbor to Title 10 of the Code of
Federal Regulations, Part 830 (10 CFR 830), Nuclear
Safety Management, for the WTP is DOE standard DOE-STD-3009-94. Section 3.4.3 of DOE-STD-3009-94 states that
an evaluation be performed that simply provides insight into the magnitude of
consequences of beyond design basis accidents (DBAs). This insight from beyond DBA analysis has the potential for
identifying additional facility features that could prevent or reduce severe
beyond DBA consequences. BNI, however,
does not evaluate the consequences of chemical hazards if the unmitigated
probability of an event is estimated to be less than 1.0E-6 per year. This practice may discount chemical hazards
with significant consequences (but low probability) that may warrant additional
controls to protect the public and workers.
DEFENSE
NUCLEAR FACILITIES SAFETY BOARD
Staff Issue Report
October 4,
2002
MEMORANDUM FOR:
J.
K. Fortenberry, Technical Director
COPIES: Board
Members
FROM: J. Plaue
and M. Feldman
SUBJECT: Safety
Basis for Waste Treatment Plant
This report documents two reviews by the
staff of the Defense Nuclear Facilities Safety Board (Board) of the Waste
Treatment Plant (WTP) at the Hanford Site.
This report focuses on technical concerns associated with Preliminary
Safety Analysis Reports (PSARs) and design basis events (DBEs) for the
pretreatment and high-level waste (HLW) facilities. A companion report addresses the staffs findings, associated with
the process used for safety basis development for this project.
The Department of Energy (DOE) has
contracted with Bechtel National, Inc. (BNI) to design, construct, and
commission the WTP at Hanford. The
purpose of these facilities is to pretreat and vitrify high-level and
low-activity waste as a means of remediating the existing inventory of the
Hanford tank farms.
Preparation of the safety and authorization
bases and the supporting design work are under way in support of ongoing
construction. The staff’s reviews
addressed the development of the DBEs to support the PSAR for the pretreatment
and HLW portions of the plant. The
following discussion summarizes significant issues related to the development
of DBEs and other technical matters.
Hydrogen Generation Rates.
Hydrogen is a significant hazard within the WTP. The current control strategy is to maintain
hydrogen concentrations below 25 percent of the lower flammability limit
(LFL). BNI’s design approach involves
providing sufficient dilution ventilation during all plant conditions (e.g.,
normal operating and upset conditions) and therefore requires an accurate
understanding of hydrogen generation rates within each WTP vessel. Dilution air is provided by the process
vessel purge (PVP) system.
BNI has chosen to model hydrogen generation
rates using a model developed for the tank farms.
This model was developed in the early 1990s to better understand
flammable gas generation in Tank SY-101.
The model is based on thermodynamic data taken from a single grab sample
of Tank SY-103 and excludes other data produced since that time. BNI believes that these data conservatively
predict hydrogen generation rates. In
developing the estimates for tank-by-tank hydrogen generation rates, however,
BNI is relying on the use of conservative inputs for only some of the
first-order parameters (temperature, total organic carbon, aluminum, and
radionuclide concentrations). This
approach may not produce sufficiently conservative generation rate values since
it does not address other important variables involved in hydrogen generation.
For example, under certain temperature and
waste conditions, thermolysis rather than radiolysis will be the dominant contributor
to the hydrogen generation rate. An
understanding of thermolysis conditions in each tank is therefore necessary. In particular, when thermolysis is the
driving mechanism, the hydrogen generation rate is exponentially dependent upon
input values for temperature and activation energy. It is unknown whether a PVP system sized for generation rates at
maximum operating temperature using the current estimation of activation energy
(91 kJ/mole) would adequately bound generation rates expected under the higher
temperatures of accident scenarios.
Furthermore, evidence exists to suggest that 91 kJ/mole is not a
conservative estimate of the activation energy within this system.
In at least one instance, the model
under-predicted by approximately 25 percent the hydrogen generation within Tank
AW-101 compared to that tank’s measured generation rates. This discrepancy is significant as Tank
AW-101 will provide feed during the initial WTP operating period (Phase
1). Moreover, this discrepancy
demonstrates that the current model may not yield conservative or bounding
hydrogen generation rates. A proper
understanding of the driving mechanisms behind hydrogen generation and the
sensitivity of various inputs is required, rather than an increase in the
conservative estimates for some individual inputs. Additionally, as the PVP system is currently in design and
nearing procurement, a sufficiently conservative predictive model for hydrogen
generation rates needs to be developed in a timely manner.
Erosion and Corrosion of Pipes and Vessels. The
staff performed a preliminary review of the project’s design activities aimed
at determining procurement requirements for the piping systems. The project has increased the pipe wall
thickness by 0.125 inch to allow for the predicted erosion of pipes due to the
movement of waste containing solid particles.
This allowance is based on the corrosion and erosion of similar
materials in straight pipes within the chemical industry. However, it does not account for higher
erosion in nonlinear segments, particularly in bends and elbows.
Cesium Ion Exchange. The
cesium ion exchange process (CXP) poses significant safety challenges due to
the high radiation field resulting from the accumulation of cesium-137 and the pressurized operation needed to
prevent fluidization of resin particles.
BNI is redesigning the CXP columns to address issues related to hydrogen
accumulation. The previous design
called for a gas separation vessel connected to the top of the CXP column via
piping. Concerns regarding the ability
of the column to adequately vent hydrogen during abnormal conditions prompted a
redesign. The new design eliminates the
gas separation vessel, instead carrying out the pressurized purge ventilation
functions in an enlarged column headspace.
During a loss-of-power event, two hazardous
conditions could impact the CXP system: (1) buildup of hydrogen gas, resulting in a
deflagration; and (2) overheating of the resin material, leading to an
explosion. As with all vessels, the BNI
strategy for preventing a hydrogen deflagration is to provide an
important-to-safety purge to the CXP columns to maintain headspace
concentrations below 25 percent of the LFL.
Overheating of the resin can be prevented by the addition of dilute
caustic or water to the CXP columns.
The current design includes an emergency elution capability; however,
use of this capability has not been identified as a control strategy. While the current control strategy should
adequately manage the overheating hazard, use of the emergency elution
capability would eliminate the hazards associated with organic ion exchange
resin under high radiation fields. It
is not clear to the staff why this capability has been included in the design
yet not credited as a preventive control strategy, and whether its utility for
safety purposes has been fully evaluated.
The staff observed several indications that
there may be a systemic failure to properly execute Integrated Safety Management (ISM)
within the project. The following
discussion illustrates the potential problems noted by the staff.
Feedback and Improvement: Tracking of Design Assumptions Critical to
Safety.
During the staff’s initial visit, design
assumptions used during safety analyses were not being tracked. BNI has taken the initiative to partially
remedy this situation by developing a method for tracking the closure of
unverified safety basis assumptions.
The database had not been fully developed and placed into use at the
time of the staff’s second visit, but it was clear that significant effort had
been expended to address this issue.
During a follow-on discussion with representatives of Research and
Technology (R&T) and Environment, Safety, and Health (ES&H), it did not
appear that research tasks necessary for closure of some unverified assumptions
were being properly communicated.
Specifically, discussions concerning nitric acid/resin reactions
revealed that ES&H personnel believed the data concerning aged and
air-exposed resins were still pending, while R&T personnel indicated that
the relevant experiments were complete, and no additional studies were
necessary. The staff believes that, to
ensure that all unverified safety basis assumptions are properly closed, BNI’s
tracking system should indicate the significance of an assumption to the
design, specify necessary research needs, and prioritize verification
activities. This is in addition to the
data tracking and issue resolution capability already in development.
Implementation of Safety Controls: Design Features Critical to Safety. In
discussions with BNI and DOE personnel, the Board’s staff expressed concern
that the ISM process may not be successfully capturing critical design features
being relied upon for safety. For
example, BNI determined that it was impossible for CXP resin to come in contact
with sodium permanganate. During
analysis, minimal vessel heel volume was identified as a design feature that
would dilute potential improper additions of sodium permanganate. The staff questioned whether this design
feature would be preserved for implementation in future safety requirements,
for example, to prevent emptying of the vessel and thereby creating a
significantly increased risk of CXP resin contacting sodium permanganate. Though BNI has developed a system for
tracking safety-related requirements, this minimal heel design feature was not
added to the database properly. As a
result of the staff’s inquiry, BNI is now tracking this specific design feature
correctly. A closer review of how the
ISM process records other design features and assumptions and their importance
to safety would be beneficial. At the
time of the staffs review, senior BNI ES&H personnel indicated that a
management assessment would be conducted to accomplish this review.
Analyze Hazards:
Unanalyzed Conditions. The
following scenarios identified by the staff did not appear to be identified and
evaluated during the ISM process:
Loss of Cooling Impacts—Currently, the
cooling of vessels in the pretreatment facility is
not classified as an important-to-safety
function; therefore, emergency/backup power is not supplied to this
system. Following a loss of cooling
capability, however, increased tank temperatures would result from ongoing
radioactive decay and chemical reactions.
This increased tank temperature would in turn result in hazards not
considered during the Hazard and Operability Analysis or the subsequent ISM
review:
·
Increased hydrogen generation rates—The rate of
hydrogen generation due to thermolysis is exponentially dependent on the waste
temperature (Arrenhius dependence). The
capacity of the PVP is currently based on expected maximum operating
temperatures. A loss-of-cooling
accident could result in significantly higher temperatures, and thus
exponentially higher hydrogen generation rates. As a result of the
staff’s inquiry, BNI is now evaluating the impact of this scenario on the PVP
design.
·
Ventilation
system loading—Significant
increases in tank temperatures would result in an increased vapor and aerosol
loading to the Process Vessel Ventilation System (PVVS). Preliminary calculations performed by BNI in
response to the staffs inquiry indicate that the increased load resulting from
just one tank boiling for the duration of a loss-of-offsite-power event (8
hours) could challenge the high-efficiency particulate air filtration capacity
of the PWS.
Flashing Through Spray Leaks—Several pipes, jumpers, and vessels located
within the
Feed Evaporation Process system operate
under temperature and pressure conditions such that a spray leak event could
cause the waste to flash to vapor. The
possibility of a flashing event for spray leaks was not evaluated by BNI. As discussed above, the increased vapor load
resulting from a flashing event could significantly increase the release of
radioactive material, and potentially result in a higher dose to the public and
workers than is currently evaluated in the severity-level calculations.
Engineering Calculations. The
staff’s initial review of DBE and severity-level calculations revealed that
these calculations lacked technical quality.
The weaknesses varied from small mathematical errors to possibly
inappropriate empirical correlations and unjustified assumptions. As a result of the staff’s observations
regarding poor-quality calculations, BNI undertook a detailed management assessment
of this issue. BNI’s review showed that
all calculations contained some errors, with an average of 40 errors per
calculation. Ultimately, BNI
implemented a more rigorous peer review process, augmented by external
reviewers, to address this issue. The
staff considers BNI’s approach regarding poor-quality calculations to be
timely, aggressive, and sufficient to resolve the problems identified. However, the ability of BNI to produce
high-quality technical products will continue to be challenged given the
schedule necessary to support construction, and consistent management vigilance
will be required.